How Secure is WordPress?

How secure WordPress is depends primarily on our awareness of its vulnerabilities & external threats. wpCop sums up the resulting risk.

wpCop talks a lot about the weakest link, a chink in our armor, a vulnerability that, threatened, could compromise a site.

In general without doubt, lack of awareness is the weakest link.

So what's to know?

Be clear: you can’t properly secure a WordPress site without knowing its vulnerabilities and the threats it faces.

Creating this awareness is what wpCop‘s Risk section is all about.

Assessing the risk to WordPress

Laying the foundation to our security know-how, What’s The Risk? introduces hackers and their tricks, considering how the former ply the latter against our WordPress sites, whether directly or indirectly.

In a nutshell, here’s the order of play:

Knowing the enemy, the variety of mindset, and the levels of skill
Considering physical security and the threat from social engineering
Weighing up OS security, allow vs. deny policies and open vs. closed source
Mulling over malware in its many shapes and forms
Assessing risks from local devices such as PCs and routers
Treading carefully in the malicious minefield that is the web
Sizing up vulnerabilities to WordPress and its third party code
Addressing the frailties of and attacks to your server-side environment

You may think most of this is irrelevant to WordPress security. You'd be wrong.

So. How Secure is WordPress?

Your site or blog is only as safe as the weakest link.

of your physical security
of your computing discipline
of your online habits
of the devices that assist in administering it or its server
of its configuration plus that of the server and security apps

Generally, our weakest link is a lack of awareness.

Let's be clear, and regardless of your site's hosting arrangement … if a hacker grabs a password from your PC, then all bets are off … if a hacker can borrow your phone, then all bets are off … if a hacker can coerce you to a malicious site, then all bets are off … and that's barely skimming the surface.

Evaluating WordPress threats with wpCop

Awareness is security's best friend. You can patch away but, without a fair grasp of the more general spectrum of risk, your defense is hopeful. wpCop's risk guides fill the knowledge gap. Have some more detail.

WordPress Vulnerabilities 101
WordPress vulnerabilities stem not just from the platform & server but from your entire working environment. wpCop spells out the weak links.
Level of difficulty: Nice and easy to follow. Good warm-up stuff!
Navbar title: WordPress vulnerabilities
WordPress' Risk of Being Hacked: Here's the Calculator
So what is WordPress' risk of being hacked? wpCop helps you prioritize which of your (often many) vulnerabilities are most prone to threat.
Level of difficulty: Simple logic. This should make perfect sense.
Navbar title: calculated risk
Who Are the Hackers? Ethical to Black Hats Defined
Who Are the Hackers? examines white, grey and black hat hackers and notes the key difference for staying on the right side of the law.
Level of difficulty: Easy read, nothing technical.
Navbar title: meet the hackers
What is Malware? A Virus Glossary
From rootkits to data loggers, Trojans, worms, viruses, zero days and much more besides, wpCop details malicious threats in What is Malware?
Level of difficulty: More baby steps but this time, before reading, you may care to sit down.
Navbar title: malware 101
OS Security: Windows vs Macs vs Linux
OS Security: Windows vs Macs vs Linux compares closed & open source operating systems and default-allow & default-deny permissions models.
Level of difficulty: These permissions models are a tiny bit more advanced but very important so pay attention!
Navbar title: Wins vs Tux vs Macs
Physical Security for PCs & Other Assets
A physical security breach could be as basic as losing a phone, so don't. Then again, wpCop explains some less obvious scenarios, so read!
Level of difficulty: Sounds so easy (which it is) that you may make the mistake of ignoring it. No no no.
Navbar title: physical security
Social Engineers: Who They Are and What They Do
Social engineers manipulate a person's trust to gain something which can be used for malicious purposes. wpCop sets out the techniques.
Level of difficulty: The guide is simple as pie. Being conned remains an issue, however.
Navbar title: social engineering
Online Threats: www = World Wide Worry
Online threats incoming! The web is a malicious minefield. wpCop considers the risk and danger, direct and indirect, to our WordPress sites.
Level of difficulty: More "easy". But don't get too comfortable ;).
Navbar title: online threats
Wireless Router Security: Settings, Problems & Solutions
Poor wireless router security settings at home or hotspots easily compromise privacy & data. wpCop explains the problem, and the solution.
Level of difficulty: Not hard to grasp. And you really need to because casual wireless is plain dangerous.
Navbar title: wireless routers
Overall Risk to a Site or Server
Many local and online risks double up to threaten sites and servers as well, and in some cases the opposite is true, as wpCop explains.
Level of difficulty: Merely an introduction to the next few topics.
Navbar title: site-server risk
Access and Authentication Server Issues
A vulnerable application offers a malicious opportunity to misuse the port through which its daemon negotiates traffic. wpCop explains.
Level of difficulty: Not too hard to understand (but not exactly basic, let's be frank.)
Navbar title: server access issues
Lazy Site & Server Administration
Lazy Site & Server Administration illustrates how a casual approach to maintenance is often the precursor to becoming successfully screwed.
Level of difficulty: Simple to follow, easy to forget.
Navbar title: poor administration
Content Scraping, SEO Theft & Spam Defacement
In Content Scraping, SEO Theft & Spam Defacement wpCop explains why content needs securing too ... arguably the most.
Level of difficulty: No real surprises here, to be honest. Should be basic revision.
Navbar title: scraping & spam

OK, that'll keep you busy.

So What’s the Risk?

I make no apology for repeating this point …

There is no silver bullet.

There is no such thing as total WordPress security.

… That doesn't mean we can't have a darned good try.

What we can achieve, over time, is to boost our understanding, discipline our computing practice, harden our devices, lock our locations, consolidate our networks and screen our sites. So let's. Cracking off with awareness.

Even this carries no guarantee. Tell you what though, it's pretty darned tight.

We'll jump in, trying to have a laugh here and there to keep us awake.

wpCop, vpsBible & Guvnr

wpCop is brought to you by Olly Connelly who also helps Linux noobs set up web servers at vpsBible.com. Olly’s blog, Guvnr.com, doubles as the news vehicle for wpCop & vpsBible. The forums offer friendly support.

Thanks for passing by. Hope it helps. Olly.

Follow the Cop & Contact Olly

Or get email updates plus full forum access:

Free Guest Registration